Enterprise Management Associates
Published: 12 Jan 2012
Skepticism about next-generation firewalls is finally ending according to the new Gartner firewall Magic Quadrant. Now as enterprises implement the new technology, they've got to overcome the kinks that come along with it.
Gartner's research shows that stateful firewalls, which make decisions based on ports and protocols, are now considered a legacy technology while enterprises are evaluating and installing next-generation firewalls in large numbers.
“I think traditional firewalls aren’t stopping the majority of threats that are hitting companies,” said Mark Starry, CTO of Capital Region Healthcare and Concord Hospital in New Hampshire. “Every other month I get on the phone with a hospital that has been infected with something and they’re just using a standard firewall with some kind of IPS [Intrusion Prevention System] glommed onto it.”
Starry replaced his legacy Check Point Software and Juniper Networks firewalls two years ago with next-generation firewalls from Palo Alto Networks. He’s seen all of the other large hospitals in New Hampshire switch to Palo Alto this year.
“One [hospital] that had a massive infection that cost them three days of operations is in the evaluation process with Palo Alto right now,” he said.
Firewall Magic Quadrant: Next-generation firewalls rule
Next-generation firewalls, also known as application-aware firewalls, usually have the traditional ports and protocol analysis capabilities of a traditional stateful firewall, but they can also evaluate traffic based on the applications that generate the packets crossing the wire. This capability has become critical in recent years with the explosion of Web-based applications that most statefull firewalls can only identify as HTTP traffic headed for Port 80.
Analyst firm Gartner has been arguing for a few years that next-generation firewalls are the future of the firewall industry, and in its latest enterprise firewall Magic Quadrant, that trend is more evident than ever. Gartner has promoted Palo Alto Networks, whose technology has earned it visionary status in past years, to a market leader, alongside Check Point Software.
Meanwhile, Juniper Networks, a long-time leader in Gartner’s Magic Quadrant whose firewalls are more in line with traditional, stateful firewalls, has moved into the challenger quadrant, a status it share with Cisco Systems, McAfee and Fortinet. Cisco’s firewalls are also limited in terms of next-generation capabilities. The Magic Quadrant identifies challengers as companies who have the sales and support organizations to execute the solutions that they have but who lack a strong technology vision.
“We’ve waited for the firewall vendors to move into this next-generation firewall space,” said Greg Young, research vice president at Gartner. “But they just kept on believing in IPS. And the quality of those IPSes were really bad. They couldn’t compete with standalone [next-generation firewalls]. The standalone offerings kept getting larger and the [legacy] firewall vendors kept ignoring the market. Then it got to the point where customer demand was greater than what was being offered by any vendors in this space. So we cranked up the criteria [in the Magic Quadrant] to say that if someone wants to lead the market they need to address [next-generation firewalls] quickly.”
Young said the majority of calls that he receives from Gartner consulting clients about firewalls focus on next-generation firewalls. Either they want to invest in them, or at the very least they want to learn all about them.
“I think customers were rightfully skeptical about moving to next-generation firewalls [a couple years ago], but now there are viable offerings and a lot of competition in the market,” Young said. “Customers are starting to switch over.
Next-generation firewalls: Potential implementation headaches
The application-layer analysis that next-generation firewalls perform is computationally intensive, so enterprises must be careful when deploying these new devices, according to Gartner’s Young. For instance, many Unified Threat Management [UTM] vendors market their appliances as next-generation firewalls, but enterprises will discover very quickly that these boxes are much more appropriate for smaller companies. When they turn on all the features, including application inspection, a UTM appliance will become a severe bottleneck.
“We’ve seen bad sizing problems already,” Young said. “Most of the sizing problems were where you tried to turn on features that weren’t designed for the enterprise. UTM for the enterprise, we are very critical of that. A lot of the other problems with performance come from next-generation firewalls not being integrated. If it’s just sheet metal integrated, where they’re throwing a lot of stuff onto the same box, then that’s where problems come and you get really low performance.”
More on next-generation fireawalls
Next-generation firewalls don’t fill every niche
Three years ago, just 1% of Internet connections were secured with next-gen firewalls
Read what we had to say about last year’s firewall magic quadrant
But Young emphasizes that a lot of firewall vendors have strong and enterprise-grade next-generation firewall products available now. Individual vendors will argue over whose product is best, but it’s up the firewall buyers to trial the products themselves and find out which works best for their environments.
Next-generation firewalls will also mark a cultural shift for the operations team. Firewall administrators who have spent years writing rules for ports and IP addresses will find that a new world of next-generation firewalls will force them out of their comfort zone.
“It puts the idea of a firewall on its head,” said Starry of Capital Region Healthcare. “You’re writing application-based rules, not just ports and IPs. And firewall administrators have a hard time getting their heads around application-based rules. You can do both and you have to do both.”
Next-generation firewalls: Look beyond application granularity
Steve Gilmer, a system administrator with the University of California-Irvine Extension, said application visibility is important, but it wasn’t his sole focus when he was shopping for a next-generation firewall.
Gilmer, who has installed WatchGuard firewalls to secure classrooms at his university, said he has struggled to learn more about how each next-generation firewall performs when decrypting and inspecting HTTPS traffic. He has identified HTTPS as a significant threat for malware intrusion, but most firewall vendors don’t recommend decrypting HTTPS for inspection. Instead, they argue that their products can detect any malware as it tries to call out from within the network, allowing network security operations to isolate infected machines within the network.
“Obviously the malware is already inside your network, and that’s a problem,” Gilmer said.
With that in mind, Gilmer is also interested in learning more about how each individual firewall vendor detects malware. Many vendors rely on third-party vendors to provide that capability, but it’s difficult to evaluate how each vendor stacks up against each other.
Let us know what you think about the story; email: Shamus McGillicuddy, News Director